Full Report
Imagine this: You’re an attacker ready to get their hands on valuable data that you can sell to afford going on a sweet vacation. You do your research, your recon, everything, ensuring that there’s no way this can go wrong. The day of the attack, you brew some coffee, crack your knuckles, and get started. A few hours into the service scan, you come to realize that all the network ports are open, but in use. The post GoSpoof – Turning Attacks into Intel appeared first on Black Hills Information Security, Inc..
Analysis Summary
# Tool/Technique: GoSpoof
## Overview
GoSpoof is a deception tool designed to disrupt attack operations and generate actionable intelligence for Security Operations Center (SOC) teams. It serves as a modernized version of the older tool, Portspoof, built using Golang to incorporate advanced cyber-deception features. Its primary goal is to waste the attacker's time while collecting detailed logs of their activities.
## Technical Details
- Type: Tool (Deception/Honeypot)
- Platform: Linux (indicated by use of `systemd` and `iptables` examples)
- Capabilities: Port spoofing, acting as a honeypot, logging attacker activity (IPs, timestamps, data sent), persistence mechanism, connection tunneling back to the attacker ("RubberGlue"), built-in Command Center web interface.
- First Seen: Mentioned on October 29, 2025 (publication date).
## MITRE ATT&CK Mapping
Since GoSpoof is a defensive counter-measure tool, its use maps to defensive tactics, but its function aims to counteract techniques used by attackers during the initial reconnaissance and interaction phases.
- **TA0008 - Lateral Movement** (Relevant if the tool influences lateral movement attempts by confusing the attacker)
- **T1566 - Phishing** (If used to lure interaction based on perceived services)
- **TA0009 - Collection** (The tool collects attacker data)
- **T1538 - Data Staged** (The log files stage the collected attacker data)
- **TA0011 - Command and Control** (If the "RubberGlue" functionality is used offensively/defensively to analyze C2 traffic)
## Functionality
### Core Capabilities
* **Port Spoofing:** Presents fake network banners during scanning (e.g., Nmap), confusing reconnaissance efforts.
* **Honeypot Mode (`-honey`):** Logs incoming IP addresses, dates, timestamps, and data sent by the attacker, saving this information to `honeypot.log`.
* **Command Center (WebUI):** Provides a web interface for SOC analysts to visualize collected data, including charts of top attacking IPs ("Attackers" page) and filtered details of sent payloads ("Payloads" page).
### Advanced Features
* **Persistence (`--boot`):** Creates a `systemd` service to ensure the tool runs automatically on system boot, saving configured flags.
* **"RubberGlue":** Tunnels connections back to the attacker, effectively making the attacker attack their own system and logging all intercepted traffic in `hash.txt` files.
* **Lightweight Operation:** Emphasized as being easy to deploy and effective at reducing attacker Return on Investment (ROI).
## Indicators of Compromise
*Note: Since GoSpoof is a defensive tool, the following are indicators of its *deployment* or artifacts it *creates*, rather than typical malware IOCs.*
- File Hashes: (Not explicitly provided in the text)
- File Names: `gospoof`, `honeypot.log`, `hash.txt` (directories/files for logging)
- Registry Keys: (Not applicable/mentioned for Linux persistence via `systemd`)
- Network Indicators: (None specified, as it often listens or spoofs responses locally)
- Behavioral Indicators:
* System responding to port scans with unexpected or fake service banners (e.g., Hydra/Fuzzing failing against expected endpoints).
* Creation of a `systemd` service named related to GoSpoof for persistence.
* Detection of connections being tunneled back to the originating attacker IP via the "RubberGlue" feature.
## Associated Threat Actors
This tool is explicitly presented as a **defensive security tool** developed/promoted by Black Hills Information Security (BHIS Intern Ivan Casamalhuapa). It is intended for use by Blue Teams and SOC analysts.
## Detection Methods
*Detection would focus on identifying the running service or the setup process.*
- Signature-based detection: Signatures for the GoSpoof binary or known command-line arguments (`-honey`, `-WebUI`, `--boot`).
- Behavioral detection: Monitoring for the installation of a new `systemd` service related to networking/deception, or unexpected network traffic redirection to the attacker source (RubberGlue).
- YARA rules: (Not provided)
## Mitigation Strategies
*Mitigation strategies are focused on preventing the successful compromise of systems that attackers might be targeting, rather than stopping the use of this defensive tool.*
- Prevention measures: Employing robust asset management to prevent unauthorized deception tooling from being active on production systems.
- Hardening recommendations: Standard vulnerability management to reduce the initial attack surface the deception tool needs to cover.
## Related Tools/Techniques
* **Portspoof:** The predecessor tool that GoSpoof modernizes.
* **Honeypots:** Generally any system designed to attract, trap, and study attackers.
* **Cyber Deception Tools:** Categorically similar software that aims to mislead adversaries.